iec62443-4-2-FR-1
| Req ID | Requirement name | Supported by CIP | Need application support | Need HW solution | Status if supported by CIP |
|---|---|---|---|---|---|
| CR-1.1 | Human user identification and authentication | TRUE | FALSE | FALSE | Completed; added packages passwd, login |
| CR-1.1 RE(2) | Multi-factor authentication for all interfaces | TRUE | FALSE | FALSE | Completed; adding package libpam-google-authenticator |
| CR-1.2 RE(1) | Unique identification and authentication | FALSE | TRUE | FALSE | N.A. |
| CR-1.3 | Account management | TRUE | FALSE | FALSE | Completed; added usermod package |
| CR-1.4 | Identifier management | TRUE | FALSE | FALSE | Completed; added package adduser |
| CR-1.5 | Authenticator management - initialize authenticator content | TRUE | FALSE | FALSE | Completed; added packages tpm2-tools, tpm2-abrmd |
| CR-1.5 RE(1) | The authenticators on which the company relies shall be protected via a hardware mechanism | TRUE | FALSE | TRUE | Completed |
| NDR-1.6 | Wireless access management | TRUE | TRUE | FALSE | In progress; wireless drivers to be included in CIP kernel |
| NDR-1.6 RE(1) | Unique identification and authentication | TRUE | TRUE | FALSE | In progress; wireless drivers to be included in CIP kernel |
| CR-1.7 | Strength of password-based authentication | TRUE | FALSE | FALSE | Completed; libpam-cracklib |
| CR-1.7 RE(1) | Password generation and lifetime restrictions for human users | TRUE | FALSE | FALSE | Completed; added packages passwd, login |
| CR-1.7 RE(2) | Password lifetime restrictions for all users (human, software process, or device) | FALSE | FALSE | FALSE | N.A. |
| CR-1.8 | Public key infrastructure (PKI) certificates | TRUE | FALSE | FALSE | Completed; added package openssl |
| CR-1.9 | Strength of public key-based authentication - check validity of signature of a given certificate | TRUE | FALSE | FALSE | Completed; added package openssl |
| CR-1.9 RE(1) | Hardware security for public key-based authentication | TRUE | FALSE | TRUE | Completed |
| CR-1.10 | Authenticator feedback | TRUE | TRUE | FALSE | Completed; added package openssl |
| CR-1.11 | Unsuccessful login attempts - limit number | TRUE | FALSE | FALSE | Completed; added package libpam-modules-bin |
| CR-1.12 | System use notification | FALSE | TRUE | FALSE | N.A. |
| NDR-1.13 | Access via untrusted networks | FALSE | TRUE | FALSE | N.A. |
| NDR-1.13 RE(1) | Explicit access request approval | FALSE | TRUE | FALSE | N.A. |
| CR-1.14 | Strength of symmetric key-based authentication | TRUE | FALSE | FALSE | Completed; added openssl package |
| CR-1.14 RE(1) | Hardware security for symmetric key-based authentication | TRUE | FALSE | TRUE | N.A. |
Tests reference and CIP recommendation
| Req ID | Status if supported by CIP | IEC-62443-4-2 tests reference | CIP recommendation |
|---|---|---|---|
| CR-1.1 | Completed; added packages passwd, login | TC_CR1.1_1, TC_CR1.1_2 | The CIP platform complies with this requirement. Users can log in through various interfaces (e.g. serial console, HTTP, etc.). CIP-based products may use a variety of interfaces; this requirement mandates that on each interface every user, process or device is uniquely identified and authenticated. |
| CR-1.1 RE(1) | Completed; added package libpam-cracklib | Same as CR-1.1 | |
| CR-1.1 RE(2) | Completed; adding package libpam-google-authenticator | None | The CIP platform complies with this requirement by adding the Google Authenticator MFA Debian package. However, CIP users can use their own way to achieve MFA. |
| CR-1.2 | N.A. | None | The CIP platform cannot meet this requirement; CIP users should use their applications to meet it. All components need to identify themselves. We recommend using a TPM-generated ID or certificates for the device ID, the process PID, and in addition the active user account. The PID must be logged over the process's lifetime, as it changes after a process restart. |
| CR-1.2 RE(1) | Unique identification and authentication | FALSE | TRUE |
| CR-1.3 | Completed; added usermod package | TC_CR1.3_1, TC_CR1.3_2, TC_CR1.3_3 | |
| CR-1.4 | Completed; added package adduser | | |
| CR-1.5 | Completed; added packages tpm2-tools, tpm2-abrmd | TC_CR1.5_2, TC_CR1.5_3 | |
| CR-1.5 RE(1) | Completed | None | This requirement expects secure storage; CIP added the TPM tools. However, secure storage and any other tools needed should be provided by CIP users based on their requirements. |
| NDR-1.6 | In progress; wireless drivers to be included in CIP kernel | None | |
| NDR-1.6 RE(1) | In progress; wireless drivers to be included in CIP kernel | None | |
| CR-1.7 | Completed; libpam-cracklib | | |
| CR-1.7 RE(1) | Completed; added packages passwd, login | | |
| CR-1.7 RE(2) | N.A. | None | This is for SL-4 |
| CR-1.8 | Completed; added package openssl | | |
| CR-1.9 | Completed; added package openssl | TC_CR1.9_1, TC_CR1.9_2, TC_CR1.9_3, TC_CR1.9_4, TC_CR1.9_5, TC_CR1.9_6 | |
| CR-1.9 RE(1) | Completed | None | It requires HW support; should be met by CIP users. |
| CR-1.10 | Completed; added package openssl | | |
| CR-1.11 | Completed; added package libpam-modules-bin | | |
| CR-1.12 | N.A. | None | CIP does not support this requirement; CIP users should implement notifications based on their requirements. The following is a guideline. APP: if the device has an HMI for an application requiring authentication, the application shall be able to display a configurable system use notification message before the credentials are requested from the user. |
| NDR-1.13 | N.A. | None | CIP does not support this requirement. Network access should be monitored using network security software and tools; only ports in use should be open, and unused ports should be blocked to avoid unauthorized access. |
| NDR-1.13 RE(1) | Explicit access request approval | FALSE | TRUE |
| CR-1.14 | Completed; added openssl package | | |
| CR-1.14 RE(1) | N.A. | None | Requires HW support |